You're absolutely right. It would also not matched the saved gif. I've since created signatures against the saved gif using hexdump. I think something got lost on my side in all the decoding/etc.
Thanks, Nicki de Wet ----- Original Message ----- From: "Damian Menscher" <[EMAIL PROTECTED]> To: "ClamAV users ML" <[email protected]> Sent: Saturday, June 18, 2005 6:49 PM Subject: Re: [Clamav-users] Creating your own signatures Your signatures appear to match against base64 encoded data, not against raw binary data. When you clamdscan against img, I'm guessing img isn't really a .gif? That's why your scan "works". You need to create a signature for the binary data. Assuming the images aren't changing, you should probably create md5 signatures (see docs) as that will be much easier for you. By the way, if you have procmail, you could filter off the base64 encoding there (since procmail doesn't decode it first). Damian Menscher -- _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
